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SYSTEMS AND METHODS FOR SECURE TRANSACTION 
MANAGEMENT AND ELECTRONIC RIGHTS PROTECTION 



Field(fl) of the Inventionffl) 

This invention generally relates to computer and/or 
electronic security. 

More particularly, this invention relates to systems and 
techniques for secure transaction management. This invention 
also relates to computer-based and other electronic appliance- 
based technologies that help to ensure that information is 
accessed and/or otherwise used only in authorized ways, and 
maintains the integrity, availability, and/or confidentiality of 
such information and processes related to such use. 

The invention also relates to systems and methods for 
protecting rights of various participants in electronic commerce 
and other electronic or electronically-facilitated transactions. 

The invention also relates to secure chains of handling and 
control for both information content and information employed to 
regulate the use of such content and consequences of such use. It 
also relates to systems and techniques that manage, including 
meter and/or limit and/or otherwise monitor use of electronically 
stored and/or disseminated information. The invention 
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particularly relates to transactions, conduct and arrangements 
that make use of, including consequences of use of, such systems 
and/or techniques. 

The invention also relates to distributed and other 
operating systems, environments and architectures. It also 
generally relates to secure architectures, including, for example, 
tamper-resistant hardware-based processors, that can be used to 
establish security at each node of a distributed system. 

Background and Summary of the Invention(s) 

Telecommunications, financial transactions, government 
processes, business operations, entertainment, and personal 
business productivity all now depend on electronic appliances. 
Millions of these electronic appliances have been electronically 
connected together. These interconnected electronic appliances 
comprise what is increasingly called the "information highway." 
Many businesses, academicians, and government leaders are 
concerned about how to protect the rights of citizens and 
organizations who use this information (also "electronic" or 
"digital") highway. 

Electronic Content 

Today, virtually anything that can be represented by 
words, numbers, graphics, or system of commands and 
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instructions can be formatted into electronic digital information. 
Television, cable, satellite transmissions, and on-line services 
transmitted over telephone lines, compete to distribute digital 
information and entertainment to homes and businesses. The 

5 owners and marketers of this content include software 

developers, motion picture and recording companies, publishers 
of books, magazines, and newspapers, and information database 
providers. The popularization of on-line services has also enabled 
the individual personal computer user to participate as a content 

10 provider. It is estimated that the worldwide market for electronic 

information in 1992 was approximately $40 billion and is 
expected to grow to $200 billion by 1997, according to Microsoft 
Corporation. The present invention can materially enhance the 
revenue of content providers, lower the distribution costs and the 

1 5 costs for content, better support advertising and usage 

information gathering, and better satisfy the needs of electronic 
information users. These improvements can lead to a significant 
increase in the amount and variety of electronic information and 
the methods by which such information is distributed. 

20 

The inability of conventional products to be shaped to the 
needs of electronic information providers and users is sharply in 
contrast to the present invention. Despite the attention devoted 
by a cross-section,of America's largest telecommunications, 
25 computer, entertainment and information provider companies to 
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some of the problem addressed by the present invention, only 
the present invention provides commercially secure, effective 

solution, for configurable, general purpose electronic commerce 

traiisartwn/distribution control systems. 

Controlling Electronic Content 

The present invention provides a new kind of "virtual 
distribution environment- (called "VDE" in this document) that 
secures, administers, and audits electronic information use. VDE 
also features fundamentally important capabilities for managing 
content that travels "across" the "information highway." These 
capabilities comprise a rights protection solution that serves all 
electronic community members. These members include content 
creators and distributors, financial service providers, end-users, 
and others. VDE is the first general purpose, configurable, 
transaction control/rights protection solution for users of 
computers, other electronic appliances, networks, and the 
information highway. 

A Fundamental problem for electronic content providers is 
extending their ability to control the use of proprietary 
information. Content providers often need to limit use to 
authorized activities and amounts. Participants in a business 
model involving, for example, provision of movies and advertising 
on optical discs may include actors, directors, script and other 
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writers, musicians, studios, publishers, distributors, retailers, 
advertisers, credit card services, and content end-users. These 
participants need the ability to embody their range of agreements 
and requirements, including use limitations, into an "extended" 

5 agreement comprising an overall electronic business model. This 

extended agreement is represented by electronic content control 
information that can automatically enforce agreed upon rights 
and obligations. Under VDE, such an extended agreement may 
comprise an electronic contract involving all business model 
10 participants. Such an agreement may alternatively, or in 

addition, be made up of electronic agreements between subsets of 
the business model participants. Through the use of VDE, 
electronic commerce can function in the same way as traditional 
commerce— that is commercial relationships regarding products 

15 and services can be shaped through the negotiation of one or 

more agreements between a variety of parties. 

Commercial content providers are concerned with ensuring 
proper compensation for the use of their electronic information. 
20 Electronic digital information, for example a CD recording, can 

. today be copied relatively easily and inexpensively. Similarly, 
unauthorized copying and use of software programs deprives 
rightful owners of billions of dollars in annual revenue according 
to the International Intellectual Property Alliance. Content 
25 providers and distributors have devised a number of limited 
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function rights protection mechanisms to protect their rights. 
Authorization passwords and protocols, license servers, 
lock/unlock" distribution methods, and non-electronic 
contractual limitations imposed on users of shrink-wrapped 
software are a few of the more prevalent content protection 
schemes. In a commercial context, these efforts are inefficient 
and limited solutions. 

Providers of "electronic currency" have also created 
protections for their type of content. These systems are not 
sufficiently adaptable, efficient, nor flexible enough to support 
the generalized use of electronic currency. Furthermore, they do 
not provide sophisticated auditing and control configuration 
capabilities. This means that current electronic currency tools 
lack the sophistication needed for many real-world financial 
business models. VDE provides means for anonymous currency 
and for "conditionally'' anonymous currency, wherein currency 
related activities remain anonymous except under special 
circumstances. 



VDE Control Capabilities 

VDE allows the owners and distributors of electronic 
digital information to reliably bill for, and securely control, audit, 
and budget the use of, electronic information. It can reliably 
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10 



detect and monitor the use of commercial information products. 
VDE uses a wide variety of different electronic information 
delivery means: including, for example, digital networks, digital 
broadcast, and physical storage media such as optical and 
magnetic disks. VDE can be used by major network providers, 
hardware manufacturers, owners of electronic information, 
providers of such information, and clearinghouses that gather 
usage information regarding, and bill for the use of, electronic 
information. 



VDE provides comprehensive and configurable transaction 
management, metering and monitoring technology. It can 
change how electronic information products are protected, 
marketed, packaged, and distributed. When used, VDE should 

15 result in higher revenues for information providers and greater 

user satisfaction and value. Use of VDE will normally result in 
lower usage costs, decreased transaction costs, more efficient 
access to electronic information, re-usability of rights protection 
and other transaction management implementations, greatly 

20 improved flexibility in the use of secured information, and 

greater standardization of tools and processes for electronic 
transaction management. VDE can be used to create an 
adaptable environment that fulfills the needs of electronic 
information owners, distributors, and users; financial 

25 clearinghouses; and usage information analyzers and resellers. 
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Bights and Control Information 

In general, the present invention can be used to protect the 
rights of parties who have: 



(a) 



(b) 



(c) 



proprietary or confidentiality interests in electronic 
information. It can, for example, help ensure that 
information is used only in authorized ways; 

financial interests resulting from the use of 
electronically distributed information. It can help 
ensure that content providers will be paid for use of 
distributed information; and 

interests in electronic credit and electronic currency 
storage, communication, and/or use including 
electronic cash, banking, and purchasing. 



Protecting the rights of electronic community members 
involves a broad range of technologies. VDE combines these 
technologies in a way that creates a "distributed" electronic 
rights protection "environment." This environment secures and 
protects transactions and other processes important for rights 
protection. VDE, for example, provides the ability to prevent, or 
impede, interference with and/or observation of, important rights 
related transactions and processes. VDE, in its preferred 
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embodiment, uses special purpose tamper resistant Secure 
Processing Units (SPUs) to help provide a high level of security 
for VDE processes and information storage and communication. 

5 The rights protection problems solved by the present 

invention are electronic versions of basic societal issues. These 
issues include protecting property rights, protecting privacy 
rights, properly compensating people and organizations for then- 
work and risk, protecting money and credit, and generally 

10 protecting the security of information. VDE employs a system 

that uses a common set of processes to manage rights issues in 
an efficient, trusted, and cost-effective way. 

VDE can be used to protect the rights of parties who create 
15 electronic content such as, for example: records, games, movies, 

newspapers, electronic books and reference materials, personal 
electronic mail, and confidential records and communications. 
The invention can also be used to protect the rights of parties 
who provide electronic products, such as publishers and 
20 distributors; the rights of parties who provide electronic credit 

and currency to pay for use of products, for example, credit 
clearinghouses and banks; the rights to privacy of parties who 
use electronic content (such as consumers, business people, 
governments); and the privacy rights of parties described by 
25 electronic information, such as privacy rights related to 
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information contained in a medical record, tax record, or 
personnel record. 

In general, the present invention can protect the rights of 
parties who have: 

(a) commercial interests in electronically distributed 

information - the present invention can help ensure, 
for example, that parties, will be paid for use of 
distributed information in a manner consistent with 
their agreement; 



(b) 



proprietary and/or confidentiality interests in 
electronic information - the present invention can, 
for example, help ensure that data is used only in 
authorized ways; 



(c) interests in electronic credit and electronic currency 
storage, communication, and/or use - this can 
include electronic cash, banking, and purchasing; 
and 

(d) interests in electronic information derived, at least 
in part, from use of other electronic information. 

VDE Functional Properties 
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VDE is a cost-effective and efficient rights protection 
solution that provides a unified, consistent system for securing 
and managing transaction processing. VDE can: 

(a) audit and analyze the use of content, 

(b) ensure that content is used only in authorized ways, 
and 

(c) allow information regarding content usage to be used 
only in ways approved by content users. 

In addition, VDE: 

(a) is very configurable, modifiable, and re-usable; 

(b) supports a wide range of useful capabilities that may 
be combined in different ways to accommodate most 
potential applications; 

(c) operates on a wide variety of electronic appliances 
ranging from hand-held inexpensive devices to large 
mainframe computers; 
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(d) is able to ensure the various rights of a number of 
different parties, and a number of different rights 
protection schemes, simultaneously; 

(e) is able to preserve the rights of parties through a 
series of transactions that may occur at different 
times and different locations; 

(f) is able to flexibly accommodate different ways of 
securely delivering information and reporting usage 
and 



(g) provides for electronic analogues to "real" money and 
credit, including anonymous electronic cash, to pay 
for products and services and to support personal 
(including home) banking and other financial 
activities. 



VDE economically and efficiently fulfills the rights 
protection needs of electronic community members. Users of 
VDE will not require additional rights protection systems for 
different information highway products and rights problems— i 
will they be required to install and learn a new system for each 
new information highway application. 
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VDE provides a unified solution that allows all content 
creators, providers, and users to employ the same electronic 
rights protection solution. Under authorized circumstances, the 
participants can freely exchange content and associated content 
control sets. This means that a user of VDE may, if allowed, use 
the same electronic system to work with different kinds of 
content having different sets of content control information. The 
content and control information supplied by one group can be 
used by people who normally use content and control information 
supplied by a different group. VDE can allow content to be 
exchanged "universally" and users of an implementation of the 
present invention can interact electronically without fear of 
incompatibilities in content control, violation of rights, or the 
need to get, install, or learn a new content control system. 

The VDE securely administers transactions that specify 
protection of rights. It can protect electronic rights including, for 
example: 

(a) the property rights of authors of electronic content, 

(b) the commercial rights of distributors of content, 



25 



(0 



the rights of any parties who facilitated the 
distribution of content, 
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(d) the privacy rights of users of content, 

(e) the privacy rights of parties portrayed by stored 
and/or distributed content, and 

(f) any other rights regarding enforcement of electronic 
agreements. 

VDE can enable a very broad variety of electronically enforced 
commercial and societal agreements. These agreements can 
include electronically implemented contracts, licenses, laws, 
regulations, and tax collection. 

Contrast With Traditional Solution. 

Traditional content control mechanisms often require users 
to purchase more electronic information than the user needs or 
desires. For example, infrequent users of shrink-wrapped 
software are required to purchase a program at the same price as 
frequent users, even though they may receive much less value 
from their less frequent use. Traditional systems do not scale 
cost according to the extent or character of usage and traditional 
systems can not attract potential customers who find that a fixed 
price is too high. Systems using traditional mechanisms are also 
not normally particularly secure. For example, shrink-wrapping 
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does not prevent the constant illegal pirating of software once 
removed from either its physical or electronic package. 

Traditional electronic information rights protection 
systems are often inflexible and inefficient and may cause a 
content provider to choose costly distribution channels that 
increase a product's price. In general these mechanisms restrict 
product pricing, configuration, and marketing flexibility. These 
compromises are the result of techniques for controlling 
information which cannot accommodate both different content 
models and content models which reflect the many, varied 
requirements, such as content delivery strategies, of the model 
participants. This can limit a provider's ability to deliver 
sufficient overall value to justify a given product's cost in the eyes 
of many potential users. VDE allows content providers and 
distributors to create applications and distribution networks that 
reflect content providers' and users' preferred business models. 
It offers users a uniquely cost effective and feature rich system 
that supports the ways providers want to distribute information 
and the ways users want to use such information. VDE supports 
content control models that ensure rights and allow content 
delivery strategies to be shaped for maximum commercial results. 
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Chain of Handling and Control 

VDE can protect a collection of rights belonging to various 
parties having in rights in, or to, electronic infonnation. This 
infonnation may be at one location or dispersed across (and/or 
moving between) multiple locations. The information may pass 
through a "chain" of distributors and a "chain" of users. Usage 
infonnation may also be reported through one or more -chains- of 
parties. In general, VDE enables parties that (a) have rights in 
electronic information, and/or (b) act as direct or indirect agents 
for parties who have rights in electronic information, to ensure 
that the moving, accessing, modifying, or otherwise using of 
information can be securely controlled by rules regarding how, 
when, where, and by whom such activities can be performed. ' 

VDE Applications and Software 

VDE is a secure system for regulating electronic conduct 
and commerce. Regulation is ensured by control information put 
in place by one or more parties. These parties may include 
content providers, electronic hardware manufacturers, financial 
service provider*, or electronic "infrastructure" companies such 
as cable or telecommunications companies. The control 
information implements "Rights Applications." Rights 
applications "run on" the "base software" of the preferred 
embodiment. This base software serves as a secure, flexible, 
general purpose foundation that can accommodate many 
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different rights applications, that is, many different business 
models and their respective participant requirements. 

A rights application under VDE is made up of special 
5 purpose pieces, each of which can correspond to one or more basic 

electronic processes needed for a rights protection environment. 
These processes can be combined together like building blocks to 
create electronic agreements that can protect the rights, and may 
enforce fulfillment of the obligations, of electronic information 

10 users and providers. One or more providers of electronic 

information can easily combine selected building blocks to create 
a rights application that is unique to a specific content 
distribution model. A group of these pieces can represent the 
capabilities needed to fulfill the agreement(s) between users and 

15 providers. These pieces accommodate many requirements of 

electronic commerce including: 

! the distribution of permissions to use electronic 
information; 

20 

! the persistence of the control information and sets of 
control information managing these permissions; 

! configurable control set information that can be 
25 selected by users for use with such information; 
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! data security and usage auditing of electronic 
information; and 

! « secure system for currency, compensation and 
debit management. 

For electronic commerce, a rights application, under the 
preferred embodiment of the present invention, can provide 
electronic enforcement of the business agreements between all 
participants. Since different groups of components can be put 
together for different applications, the present invention can 
provide electronic control information for a wide variety of 
different products and markets. This means the present 
invention can provide a -unified," efficient, secure, and 
cost-effective system for electronic commerce and data security. 
This allows VDE to serve as a single standard for electronic 
rights protection, data security, and electronic currency and 
banking. 



In a VDE, the separation between a rights application and 
its foundation permits the efficient selection of sets of control 
information that are appropriate for each of many different types 
of applications and uses. These control sets can reflect both 
rights of electronic community members, as well as obligations 
( such as providing a history of one's use of a product or paying 
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taxes on one's electronic purchases). VDE flexibility allows its 
users to electronically implement and enforce common social and 
commercial ethics and practices. By providing a unified control 
system, the present invention supports a vast range of possible 
5 transaction related interests and concerns of individuals, 

communities, businesses, and governments. Due to its open 
design, VDE allows (normally under securely controlled 
circumstances) applications using technology independently 
created by users to be "added" to the system and used in 
10 conjunction with the foundation of the invention. In sum, VDE 

provides a system that can fairly reflect and enforce agreements 
among parties. It is a broad ranging and systematic solution that 
answers the pressing need for a secure, cost-effective, and fair 
electronic environment. 

15 

VDE Implementation 

The preferred embodiment of the present invention 
includes various tools that enable system designers to directly 
insert VDE capabilities into their products. These tools include 

20 an Application Programmer's Interface ("API") and a Rights 

Permissioning and Management Language ("RPML"). The 
RPML provides comprehensive and detailed control over the use 
of the invention's features. VDE also includes certain user 
interface subsystems for satisfying the needs of content 

25 providers, distributors, and users. 
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Information distributed using VDE may take many forms. 
It may, for example, be "distributed" for use on an individual's 
own computer, that is the present invention can be used to 
provide security for locally stored data. Alternatively, VDE may 
be used with information that is dispersed by authors and/or 
publishers to one or more recipients. This information may take 
many forms including: movies, audio recordings, games, 
electronic catalog shopping, multimedia, training materials, 
E-mail and personal documents, object oriented libraries, 
software prograinming resources, and reference/record keeping 
information resources (such as business, medical, legal, scientific, 
governmental, and consumer databases). 

Electronic rights protection provided by the present 
invention will also provide an important foundation for trusted 
and efficient home and commercial banking, electronic credit 
processes, electronic purchasing, true or conditionally anonymous 
electronic cash, and EDI (Electronic Data Interchange). VDE 
provides important enhancements for improving data security in 
organizations by providing "smart" transaction management 
features that can be far more effective than key and password 
based "go/no go" technology. 

VDE normally employs an integration of cryptographic and 
other security technologies (e.g. encryption, digital signatures, 



etc.), with other technologies including: component, distributed, 
and event driven operating system technology, and related 
communications, object container, database, smart agent, smart 
card, and semiconductor design technologies. 

I. Overview 

A. VDE Solves Important Problems and Fills 
Critical Needs 

The world is moving towards an integration of electronic 
information appliances. This interconnection of appliances 
provides a foundation for much greater electronic interaction and 
the evolution of electronic commerce. A variety of capabilities are 
required to implement an electronic commerce environment. 
VDE is the first system that provides many of these capabilities 
and therefore solves fundamental problems related to electronic 
dissemination of information. 

Electronic Content 

VDE allows electronic arrangements to be created 
involving two or more parties. These agreements can themselves 
comprise a collection of agreements between participants in a 
commercial value chain and/or a data security chain model for 
handling, auditing, reporting, and payment. It can provide 
efficient, reusable, modifiable, and consistent means for secure 
electronic content: distribution, usage control, usage payment, 
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usage auditing, and usage reporting. Content may, for example, 
include: 

! financial information such as electronic currency and 
credit; 

! commercially distributed electronic information such 
as reference databases, movies, games, and 
advertising; and 



! electronic properties produced by persons and 
organizations, such as documents, e-mail, and 
proprietary database information. 

VDE enables an electronic commerce marketplace that supports 
differing, competitive business partnerships, agreements, and 
evolving overall business models. 



The features of VDE allow it to function as the first trusted 
electronic information control environment that can conform to, 
and support, the bulk of conventional electronic commerce and 
data security requirements. In particular, VDE enables the 
participants in a business value chain model to create an 
electronic version of traditional business agreement terms and 
conditions and further enables these participants to shape and 



evolve their electronic commerce models as they believe 
appropriate to their business requirements. 

VDE offers an architecture that avoids reflecting specific 
distribution biases, administrative and control perspectives, and 
content types. Instead, VDE provides a broad-spectrum, 
fundamentally configurable and portable, electronic transaction 
control, distributing, usage, auditing, reporting, and payment 
operating environment. VDE is not limited to being an 
application or application specific toolset that covers only a 
limited subset of electronic interaction activities and participants. 
Rather, VDE supports systems by which such applications can be 
created, modified, and/or reused. As a result, the present 
invention answers pressing, unsolved needs by offering a system 
that supports a standardized control environment which 
facilitates interoperability of electronic appliances, 
interoperability of content containers, and efficient creation of 
electronic commerce applications and models through the use of a 
programmable, secure electronic transactions management 
foundation and reusable and extensible executable components. 
VDE can support a single electronic "world" within which most 
forms of electronic transaction activities can be managed. 



To answer the developing needs of rights owners and 
content providers and to provide a system that can accommodate 
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the requirements and agreements of all parties that may be 
involved in electronic business models (creators, distributors, 
administrators, users, credit providers, etc.), VDE supplies an 
efficient, largely transparent, low cost and sufficiently secure 
system (supporting both hardware/ software and software only 
models). VDE provides the widely varying secure control and 
administration capabilities required for: 

1. Different types of electronic content, 

2. Differing electronic content delivery schemes, 

3. differing electronic content usage schemes, 

4. Different content usage platforms, and 

5. Differing content marketing and model strategies. 

VDE may be combined with, or integrated into, many 
separate computers and/or other electronic appliances. These 
appliances typically include a secure subsystem that can enable 
control of content use such as displaying, encrypting, decrypting, 
printing, copying, saving, extracting, embedding, distributing, 
auditing usage, etc.. The secure subsystem in the preferred 
embodiment comprises one or more "protected processing 
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environments", one or more secure databases, and secure 
"component assemblies" and other items and processes that need 
to be kept secured. VDE can, for example, securely control 
electronic currency, payments, and/or credit management 
5 (including electronic credit and/or currency receipt, 

disbursement, encumbering, and/or allocation) using such a 
"secure subsystem" 

VDE provides a secure, distributed electronic transaction 
LO management system for controlling the distribution and/or other 

usage of electronically provided and/or stored information. VDE 
controls auditing and reporting of electronic content and/or 
appliance usage. Users of VDE may include content creators who 
apply content usage, usage reporting, and/or usage payment 
15 related control information to electronic content and/or 

appliances for users such as end-user organizations, individuals, 
and content and/or appliance distributors. VDE also securely 
supports the payment of money owed (including money owed for 
content and/or appliance usage) by one or more parties to one or 
20 more other parties, in the form of electronic credit and/or 

currency. 

Electronic appliances under control of VDE represent VDE 
'nodes' that securely process and control; distributed electronic 
25 information and/or appliance usage, control information 
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formulation, and related transactions. VDE can securely manage 
the integration of control information provided by two or more 
parties. As a result, VDE can construct an electronic agreement 
between VDE participants that represent a "negotiation" 
between, the control requirements of, two or more parties and 
enacts terms and conditions of a resulting agreement. VDE 
ensures the rights of each party to an electronic agreement 
regarding a wide range of electronic activities related to 
electronic information and/or appliance usage. 

Through use of VDE's control system, traditional content 
providers and users can create electronic relationships that 
reflect traditional, non-electronic relationships. They can shape 
and modify commercial relationships to accommodate the 
evolving needs of, and agreements among, themselves. VDE does 
not require electronic content providers and users to modify their 
business practices and personal preferences to conform to a 
metering and control application program that supports limited, 
largely fixed functionality. Furthermore, VDE permits 
participants to develop business models not feasible with non- 
electronic commerce, for example, involving detailed reporting of 
content usage information, large numbers of distinct transactions 
at hitherto infeasibly low price points, "pass-along" control 
information that is enforced without involvement or advance 
knowledge of the participants, etc. 
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The present invention allows content providers and users 
to formulate their transaction environment to accommodate: 

(1) desired content models, content control models, and 
content usage information pathways, 

(2) a complete range of electronic media and distribution 
means, 

(3) a broad range of pricing, payment, and auditing 
strategies, 

(4) very flexible privacy and/or reporting models, 

(5) practical and effective security architectures, and 

(6) other administrative procedures that together with 
steps (1) through (5) can enable most "real world" 
electronic commerce and data security models, 
including models unique to the electronic world. 

VDE's transaction management capabilities can enforce: 
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(1) privacy rights of users related to information 
regarding their usage of electronic information 
and/or appliances, 



(2) 



(3) 



societal policy such as laws that protect rights of 
content users or require the collection of taxes 
derived from electronic transaction revenue, and 

the proprietary and/or other rights of parties related 
to ownership of, distribution of, and/or other 
commercial rights related to, electronic information. 



VDE can support "real" commerce in an electronic form, 
that is the progressive creation of commercial relationships that 
form, over time, a network of interrelated agreements 
representing a value chain business model. This is achieved in 
part by enabling content control information to develop through 
the interaction of (negotiation between) securely created and 
independently submitted sets of content and/or appliance control 
information. Different sets of content and/or appliance control 
information can be submitted by different parties in an electronic 
business value chain enabled by the present invention. These 
parties create control information sets through the use of their 
respective VDE installations. Independently, securely 
deliverable, component based control information allows efficient 
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interaction among control information sets supplied by different 
parties. 

VDE permits multiple, separate electronic arrangements to 
be formed between subsets of parties in a VDE supported 
electronic value chain model. These multiple agreements 
together comprise a VDE value chain "extended" agreement. 
VDE allows such constituent electronic agreements, and 
therefore overall VDE extended agreements, to evolve and 
reshape over time as additional VDE participants become 
involved in VDE content and/or appliance control information 
handling. VDE electronic agreements may also be extended as 
new control information is submitted by existing participants. 
With VDE, electronic commerce participants are free to structure 
and restructure their electronic commerce business activities and 
relationships. As a result, the present invention allows a 
competitive electronic commerce marketplace to develop since the 
use of VDE enables different, widely varying business models 
using the same or shared content. 

A significant facet of the present invention's ability to 
broadly support electronic commerce is its ability to securely 
manage independently delivered VDE component objects 
containing controlinformation (normally in the form of VDE 
objects containing one or more methods, data, or load module 
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VDE components). This independently delivered control 
information can be integrated with senior and other pre-existing 
content control information to securely form derived control 
information using the negotiation mechanisms of the present 
invention. All requirements specified by this derived control 
information must be satisfied before VDE controlled content can 
be accessed or otherwise used. This means that, for example, all 
load modules and any mediating data which are listed by the 
derived control information as required must be available and 
securely perform their required function. In combination with 
other aspects of the present invention, securely, independently 
delivered control components allow electronic commerce 
participants to freely stipulate their business requirements and 
trade offs. As a result, much as with traditional, non-electronic 
commerce, the present invention allows electronic commerce 
(through a progressive stipulation of various control 
requirements by VDE participants) to evolve into forms of 
business that are the most efficient, competitive and useful. 

VDE provides capabilities that rationalize the support of 
electronic commerce and electronic transaction management. 
This rationalization stems from the reusability of control 
structures and user interfaces for a wide variety of transaction 
management related activities. As a result, content usage 
control, data security, information auditing, and electronic 



financial activities, can be supported with tools that are reusable, 
convenient, consistent, and familiar. In addition, a rational 
approach — a transaction/distribution control standard — allows 
all participants in VDE the same foundation set of hardware 
control and security, authoring, administration, and 
management tools to support widely varying types of 
information, business market model, and/or personal objectives. 

Employing VDE as a general purpose electronic 
transaction/distribution control system allows users to maintain 
a single transaction management control arrangement on each of 
their computers, networks, communication nodes, and/or other 
electronic appliances. Such a general purpose system can serve 
the needs of many electronic transaction management 
applications without requiring distinct, different installations for 
different purposes. As a result, users of VDE can avoid the 
confusion and expense and other inefficiencies of different, 
limited purpose transaction control applications for each different 
content and/or business model. For example, VDE allows content 
creators to use the same VDE foundation control arrangement for 
both content authoring and for licensing content from other 
content creators for inclusion into their products or for other use. 
Clearinghouses, distributors, content creators, and other VDE 
users can all interact, both with the applications running on their 
VDE installations, and with each other, in an entirely consistent 
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same 



manner, using and reusing (largely transparently) the 
distributed tools, mechanisms, and consistent user interfaces, 
regardless of the type ofVDE activity. 



VDE prevents many forms of unauthorized use of 
electronic informatioii, by controlling and auditing (and other 
administration of use) electronically stored and/or disseminated 
information. This includes, for example, commercially 
distributed content, electronic currency, electronic credit, 
business transactions (such as EDI), confidential 
communications, and the like. VDE can further be used to enable 
commercially provided electronic content to be made available to 
users in user defined portions, rather than constraining the user 
to use portions of content that were predetermined" by a content 
creator and/or other provider for billing purposes. 



VDE, for example, can employ: 



(1) 



(2) 



Secure metering means for budgeting and/or 
auditing electronic content and/or appliance usage; 

Secure flexible means for enabling compensation 
and/or billing rates for content and/or appliance 
usage, including electronic credit and/or currency 
mechanisms for payment means; 
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(3) Secure distributed database means for storing 
control and usage related information (and 
employing validated compartmentalization and 
tagging schemes); 

5 

(4) Secure electronic appliance control means; 

(5) A distributed, secure, "virtual black box* comprised 
of nodes located at every user (including VDE 

10 content container creators, other content providers, 

client users, and recipients of secure VDE content 
usage information) site. The nodes of said virtual 
black box normally include a secure subsystem 
having at least one secure hardware element (a 

15 semiconductor element or other hardware module for 

securely executing VDE control processes), said 
secure subsystems being distributed at nodes along a 
pathway of information storage, distribution, 
payment, usage, and/or auditing. In some 

20 embodiments, the functions of said hardware 

element, for certain or all nodes, may be performed 
by software, for example, in host processing 
environments of electronic appliances; 

25 (6) Encryption and decryption means; 
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(7) Secure communications means employing 

authentication, digital signaturing, and encrypted 
transmissions. The secure subsystems at said user 
nodes utilize a protocol that establishes and 
authenticates each node's and/or participant's 
identity, and establishes one or more secure 
host-to-host encryption keys for communications 
between the secure subsystems; and 



(8) 



Secure control means that can allow each VDE 
installation to perform VDE content authoring 
(placing content into VDE containers with associated 
control information), content distribution, and 
content usage; as well as clearinghouse and other 
administrative and analysis activities employing 
content usage information. 



VDE may be used to migrate most non-electronic, 
traditional information delivery models (including entertainment, 
reference materials, catalog shopping, etc.) into an adequately 
secure digital distribution and usage management and payment 
context. The distribution and financial pathways managed by a 
VDE arrangement may include: 

! content creators), 
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distributors), 
redistributor{s), 
client administrators), 
client user(s), 

financial and/or other clearinghouse(s), 
and/or government agencies. 



These distribution and financial pathways may also include: 



10 



15 



20 



advertisers, 

market survey organizations, and/or 
other parties interested in the user usage of 
information securely delivered and/or stored using 
VDE. 



Normally, participants in a VDE arrangement will employ the 
same secure VDE foundation. Alternate embodiments support 
VDE arrangements employing differing VDE foundations. Such 
alternate embodiments may employ procedures to ensure certain 
interoperability requirements are met. 



25 



Secure VDE hardware (also known as SPUs for Secure 
Processing Units), or VDE installations that use software to 
substitute for, or complement, said hardware (provided by Host 
Processing Environments (HPEs)), operate in conjunction with 
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secure commutations, systems integration software, and 
distributed software control information and support structures, 
to achieve the electronic contract/rights protection environment 
of the present invention. Together, these VDE components 
comprise a secure, virtual, distributed content and/or appliance 
control, auditing (and other administration), reporting, and 
payment environment. In some embodiments and where 
commercially acceptable, certain VDE participants, such as 
clearinghouses that normally maintain sufficiently physically 
secure non-VDE processing environments, may be allowed to 
employ HPEs rather VDE hardware elements and interoperate, 

for example, with VDE end-users and content providers. VDE 
components together comprise a configurable, consistent, secure 
and "trusted" architecture for distributed, asynchronous control 
of electronic content and/or appliance usage. VDE supports a 
"universe wide" environment for electronic content delivery, 
broad dissemination, usage reporting, and usage related payment 
activities. 

VDE provides generalized configurability. This results, in 
part, from decomposition of generalized requirements for 
supporting electronic commerce and data security into a broad 
range of constituent "atomic" and higher level components (such 
as load modules, data elements, and methods) that may.be 
variously aggregated together to form control methods for 
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electronic commerce applications, commercial electronic 
agreements, and data security arrangements. VDE provides a 
secure operating environment employing VDE foundation 
elements along with secure independently deliverable VDE 
5 components that enable electronic commerce models and 

relationships to develop. VDE specifically supports the unfolding 
of distribution models in which content providers, over time, can 
expressly agree to, or allow, subsequent content providers and/or 
users to participate in shaping the control information for, and 

10 consequences of, use of electronic content and/or appliances. A 

very broad range of the functional attributes important for 
supporting simple to very complex electronic commerce and data 
security activities are supported by capabilities of the present 
invention. As a result, VDE supports most types of electronic 

15 information and/or appliance: usage control (including 

distribution), security, usage auditing, reporting, other 
administration, and payment arrangements. 

VDE, in its preferred embodiment, employs object software 
20 technology and uses object technology to form "containers" for 

delivery of information that is (at least in part) encrypted or 
otherwise secured. These containers may contain electronic 
content products or other electronic information and some or all 
of their associated permissions (control) information. These 
25 container objects may be distributed along pathways involving 
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content provider, and/or content users. Tie, may be securely 
moved among nodes of a Virtual Distribution Environment 
(VDE) arrangement, which nodes operate VDE foundation 
software and execute control methods to enact electronic 
information usage control and/or admimstration models. The 
containers delivered through use of the preferred embodiment of 
the present invention may be employed both for distributing VDE 
control instructions (information) and/or to encapsulate and 
electronically distribute content that has been at least partially 



secured. 



r Content providers who employ the present invention may 
include, for example, software application and game publishers, 
database publishers, cable, television, and radio broadcasters, 
electronic shopping vendors, and distributors of information in 
electronic document, book, periodical, e-mail and/or other forms. 
Corporations, government agencies, and/or individual "end-users" 
who act as storers of, and/or distributors of, electronic 
information, may also be VDE content providers (in a restricted 
model, a user provides content only to himself and employs VDE 
to secure his own confidential information against unauthorized 
use by other parties). Electronic information may include 
proprietary and/or confidential information for personal or 
internal organization use, as well as information, such as 
software applications, documents, entertainment materials, 



and/or reference information, which may be provided to other 
parties. Distribution may be by, for example, physical media 
delivery, broadcast and/or telecommunication means, and in the 
form of "static" files and/or streams of data. VDE may also be 
used, for example, for multi-site "real-time" interaction such as 
teleconferencing, interactive games, or on-line bulletin boards, 
where restrictions on, and/or auditing of, the use of all or portions 
of communicated information is enforced. 

VDE provides important mechanisms for both enforcing 
commercial agreements and enabling the protection of privacy 
rights. VDE can securely deliver information from one party to 
another concerning the use of commercially distributed electronic 
content. Even if parties are separated by several "steps" in a 
chain (pathway) of handling for such content usage information, 
such information is protected by VDE through encryption and/or 
other secure processing. Because of that protection, the accuracy 
of such information is guaranteed by VDE, and the information 
can be trusted by all parties to whom it is delivered. 
Furthermore, VDE guarantees that all parties can trust that 
such information cannot be received by anyone other than the 
intended, authorized, party(ies) because it is encrypted such that 
only an authorized party, or her agents, can decrypt it. Such 
information may also be derived through a secure VDE process at 
a previous pathway-of-handling location to produce secure VDE 
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reporting information that is then communicated securely to its 
intended recipients VDE secure subsystem. Because VDE can 
deliver such information securely, parties to an electronic 
agreement need not trust the accuracy of commercial usage 
and/or other information delivered through means other than 
those under control of VDE. 

VDE participants in a commercial value chain can be 
"commercially" confident (that is, sufficiently confident for 
commercial purposes) that the direct (constituent) and/or 
"extended" electronic agreements they entered into through the 
use of VDE can be enforced reliably. These agreements may have 
both "dynamic" transaction management related aspects, such 
content usage control information enforced through budgeting, 
metering, and/or reporting of electronic information and/or 
appliance use, and/or they may include "static" electronic 
assertions, such as an end-user using the system to assert his or 
her agreement to pay for services, not to pass to unauthorized 
parties electronic information derived from usage of content or 
systems, and/or agreeing to observe copyright laws. Not only can 
electronically reported transaction related information be trusted 
under the present invention, but payment may be automated by 
the passing of payment tokens through a pathway of payment 
(which may or may not be the same as a pathway for reporting). 
Such payment can be contained within a VDE container created 



as 
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automatically by a VDE installation in response to control 
information (located, in the preferred embodiment, in one or more 
permissions records) stipulating the "withdrawal" of credit or 
electronic currency (such as tokens) from an electronic account 
5 (for example, an account securely maintained by a user's VDE 

installation secure subsystem) based upon usage of VDE 
controlled electronic content and/or appliances (such as 
governments, financial credit providers, and users). 

IQ VDE allows the needs of electronic commerce participants 

to be served and it can bind such participants together in a 
universe wide, trusted commercial network that can be secure 
enough to support very large amounts of commerce. VDE's 
security and metering secure subsystem core will be present at 

15 all physical locations where VDE related content is (a) assigned 

usage related control information (rules and mediating data), 
and/or (b) used. This core can perform security and auditing 
functions (including metering) that operate within a "virtual 
black box," a collection of distributed, very secure VDE related 

20 hardware instances that are interconnected by secured 

information exchange (for example, telecommunication) processes 
and distributed database means. VDE further includes highly 
configurable transaction operating system technology, one or 
more associated libraries of load modules along with affiliated 

25 data, VDE related aclministration, data preparation, and analysis 
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application*, as well as system software designed to enable VDE 

integration into host environments and applications. VDE's 
usage control information, for example, provide for property 
content and/or appliance related: usage authorization, usage 
auditing (which may include audit reduction), usage billing, 
usage payment, privacy filtering, reporting, and security related 
communication and encryption techniques. 

VDE extensively employs methods in the form of software 
objects to augment configurability, portability, and security of the 
VDE environment. It also employs a software object architecture 
for VDE content containers that carries protected content and 
may also carry both freely available information (e.g, summary, 
table of contents) and secured content control information which 
ensures the performance of control information. Content control 
information governs content usage according to criteria set by 
holders of rights to an object's contents and/or according to 
parties who otherwise have rights associated with distributing 
such content (such as governments, financial credit providers, 
and users). 

In part, security is enhanced by object methods employed 
by the present invention because the encryption schemes used to 
protect an object can efficiently be further used to protect the 
associated content control information (software control 



information and relevant data) from modification. Said object 
techniques also enhance portability between various computer 
and/or other appliance environments because electronic 
information in the form of content can be inserted along with (for 
example, in the same object container as) content control 
information (for said content) to produce a "published" object. As 
a result, various portions of said control information may be 
specifically adapted for different environments, such as for 
diverse computer platforms and operating systems, and said 
various portions may all be carried by a VDE container. 

An objective of VDE is supporting a 
transaction/distribution control standard. Development of such a 
standard has many obstacles, given the security requirements 
and related hardware and communications issues, widely 
differing environments, information types, types of information 
usage, business and/or data security goals, varieties of 
participants, and properties of delivered information. A 
significant feature of VDE accommodates the many, varying 
distribution and other transaction variables by, in part, 
decomposing electronic commerce and data security functions 
into generalized capability modules executable within a secure 
hardware SPU and/or corresponding software subsystem and 
further allowing,extensive flexibility in assembling, modifying, 
and/or replacing, such modules (e.g. load modules and/or 
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methods) in applications run on a VDE installation foundation. 
This configurability and reconfigurabiHty allows electronic 
commerce and data security participants to reflect their priorities 
and requirements through a process of iteratively shaping an 
evolving extended electronic agreement (electronic control 
model). This shaping can occur as content control information 
passes from one VDE participant to another and to the extent 
allowed by "in place" content control information. This process 
allows users of VDE to recast existing control information and/or 
add new control information as necessary (including the 
elimination of no longer required elements). 

VDE supports trusted (sufficiently secure) electronic 
information distribution and usage control models for both 
commercial electronic content distribution and data security 
applications. It can be configured to meet the diverse 
requirements of a network of interrelated participants that may 
include content creators, content distributors, client 
administrators, end users, and/or clearinghouses and/or other 
content usage information users. These parties may constitute a 
network of participants involved in simple to complex electronic 
content ciissemination, usage control, usage reporting, and/or 
usage payment. Disseminated content may include both 
originally provided and VDE generated information (such as 
content usage information) and content control information may 
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persist through both chains (one or more pathways) of content 
and content control information handling, as well as the direct 
usage of content The configurability provided by the present 
invention is particularly critical for supporting electronic 
5 commerce, that is enabling businesses to create relationships and 

evolve strategies that offer competitive value. Electronic 
commerce tools that are not inherently configurable and 
interoperable will ultimately fail to produce products (and 
services) that meet both basic requirements and evolving needs of 
10 most commerce applications. 

VDE's fundamental configurability will allow a broad 
range of competitive electronic commerce business models to 
flourish. It allows business models to be shaped to m axim i z e 
15 revenues sources, end-user product value, and operating 

efficiencies. VDE can be employed to support multiple, differing 
models, take advantage of new revenue opportunities, and 
deliver product configurations most desired by users. Electronic 
commerce technologies that do not, as the present invention does: 
20 ! support a broad range of possible, complementary 

revenue activities, 
! offer a flexible array of content usage features most 

desired by customers, and 
! exploit opportunities for operating efficiencies, 
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10 



wiU result in products that are often intrinsically more costly and 
leas appealing and therefore less competitive in the marketplace. 

Some of the key factors contributing to the configurability 
intrinsic to the present invention include: 

(a) integration into the fundamental control 
environment of a broad range of electronic 
appliances through portable API and programming 
language tools that efficiently support merging of 
control and auditing capabilities in nearly any 
electronic appliance environment while maintaining 
overall system security; 



15 ft>) modular data structures; 

(c) generic content model; 

(d) general modularity and independence of foundation 
2® architectural components; 

(e) modular security structures; 



25 



variable length and multiple branching chains of 
control; and 
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(g) independent, modular control structures in the form 
of executable load modules that can be maintained in 
one or more libraries, and assembled into control 
methods and models, and where such model control 
5 schemes can "evolve" as control information passes 

through the VDE installations of participants of a 
pathway of VDE content control information 
handling. 

10 Because of the breadth of issues resolved by the present 

invention, it can provide the emerging "electronic highway" with 
a single transaction/distribution control system that can, for a 
very broad range of commercial and data security models, ensure 
against unauthorized use of confidential and/or proprietary 

15 information and commercial electronic transactions. VDE's 

electronic transaction management mechanisms can enforce the 
electronic rights and agreements of all parties participating in 
widely varying business and data security models, and this can 
be efficiently achieved through a single VDE implementation 

20 within each VDE participant's electronic appliance. VDE 

supports widely varying business and/or data security models 
that can involve a broad range of participants at various "levels" 
of VDE content and/or content control information pathways of 
handling. Different content control and/or auditing models and 

25 agreements may be available on the same VDE installation. 
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These models and agreements may control content in 
relationship to, for example, VDE installations and/or users in 
general; certain specific users, installations, classes and/or other 
groupings of installations and/or users; as well as to electronic 
content generally on a given installation, to specific properties, 
property portions, classes and/or other groupings of content. 

Distribution using VDE may package both the electronic 
content and control information into the same VDE container, 
and/or may involve the delivery to an end-user site of different 
pieces of the same VDE managed property from plural separate 
remot ocations and/or in plural separate VDE content 
containers and/or employing plural different delivery means. 
Content control information may be partially or fully delivered 
separately from its associated content to a user VDE installation 
in one or more VDE ac^ninistrative objects. Portions of said 
control information may be delivered from one or more sources. 
Control information may also be available for use by access from 
a user's VDE installation secure sub-system to one or more 
remote VDE secure sub-systems and/or VDE compatible, certified 
secure remote locations. VDE control processes such as 
metering, budgeting, decrypting and/or fingerprinting, may as 
relates to a certain user content usage activity, be performed in a 
user's local VDE installation secure subsystem, or said processes 
may be divided amongst plural secure subsystems which may be 
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located in the same user VDE installations and/or in a network 
server and in the user installation. For example, a local VDE 
installation may perform decryption and save any, or all of, usage 
metering information related to content and/or electronic 
5 appliance usage at such user installation could be performed at 

the server employing secure (e.g., encrypted) co mmuni cations 
between said secure subsystems. Said server location may also 
be used for near real time, frequent, or more periodic secure 
receipt of content usage information from said user installation, 
10 with, for example, metered information being maintained only 

temporarily at a local user installation. 

Delivery means for VDE managed content may include 
electronic data storage means such as optical disks for delivering 

15 one portion of said information and broadcasting and/or 

telecommunicating means for other portions of said information. 
Electronic data storage means may include magnetic media, 
optical media, combined magneto-optical systems, flash RAM 
memory, bubble memory, and/or other memory storage means 

20 such as huge capacity optical storage systems employing 

holographic, frequency, and/or polarity data storage techniques. 
Data storage means may also employ layered disc techniques, 
such as the use of generally transparent and/or translucent 
materials that pass light through layers of data carrying discs 

25 which themselves are physically packaged together as one 
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thicker disc. Data carrying locations on such discs may be, at 
least in part, opaque. 

VDE supports a general purpose foundation for secure 
transaction management, including usage control, auditing, 
reporting, and/or payment. This general purpose foundation is 
called "VDE Functions'' ("VDEFs"). VDE also supports a 
collection of "atomic" application elements (e.g., load modules) 
that can be selectively aggregated together to form various VDEF 
capabilities called control methods and which serve as VDEF 
applications and operating system functions. When a host 
operating environment of an electronic appliance includes VDEF 
capabilities, it is called a "Rights Operating System" (ROS). 
VDEF load modules, associated data, and methods form a body of 
information that for the purposes of the present invention are 
called "control information." VDEF control information may be 
specifically associated with one or more pieces of electronic 
content and/or it may be employed as a general component of the 
operating system capabilities of a VDE installation. 

VDEF transaction control elements reflect and enact 
content specific and/or more generalized adniinistrative (for 
example, general operating system) control information. VDEF 
capabilities which can generally take the form of applications 
(application models) that have more or less configurability which 
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can be shaped by VDE participants, through the use, for 
example, of VDE templates, to employ specific capabilities, along, 
for example, with capability parameter data to reflect the 
elements of one or more express electronic agreements between 
5 VDE participants in regards to the use of electronic content such 

as commercially distributed products. These control capabilities 
manage the use of, and/or auditing of use of, electronic content, 
as well as reporting information based upon content use, and any 
payment for said use. VDEF capabilities may "evolve" to reflect 

10 the requirements of one or more successive parties who receive or 

otherwise contribute to a given set of control information. 
Frequently, for a VDE application for a given content model (such 
as distribution of entertainment on CD-ROM, content delivery 
from an Internet repository, or electronic catalog shopping and 

15 advertising, or some combination of the above) participants 

would be able to securely select from amongst available, 
alternative control methods and apply related parameter data, 
wherein such selection of control method and/or submission of 
data would constitute their "contribution" of control information. 

20 Alternatively, or in addition, certain control methods that have 

been expressly certified as securely interoperable and compatible 
with said application may be independently submitted by a 
participant as part of such a contribution. In the most general 
example, a generally certified load module (certified for a given 

25 VDE arrangement and/or content class) may be used with many 
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or any VDE application that operates in nodes of said 
arrangement. These parties, to the extent they are allowed, can 
independently and securely add, delete, and/or otherwise modify 
the specification of load modules and methods, as well as add, 
delete or otherwise modify related information. 

Normally the party who creates a VDE content container 
defines the general nature of the VDEF capabilities that will 
and/or may apply to certain electronic information. A VDE 
content container is an object that contains both content ( for 
example, commercially distributed electronic information 
products such as computer software programs, movies, electronic 
publications or reference materials, etc.) and certain control 
information related to the use of the object's content. A creating 
party may make a VDE container available to other parties. 
Control information delivered by, and/or otherwise available for 
use with, VDE content containers comprise (for commercial 
content distribution purposes) VDEF control capabilities (and 
any associated parameter data) for electronic content. These 
capabilities may constitute one or more "proposed" electronic 
agreements (and/or agreement functions available for selection 
and/or use with parameter data) that manage the use and/or the 
consequences of use of such content and which can enact the 
terms and conditions of agreements involving multiple parties 
and their various rights and obligations. 
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A VDE electronic agreement may be explicit, through a 
user interface acceptance by one or more parties, for example by 
a "junior" party who has received control information from a 
"senior" party, or it may be a process amongst equal parties who 

5 individually assert their agreement. Agreement may also result 

from an automated electronic process during which terms and 
conditions are "evaluated" by certain VDE participant control 
information that assesses whether certain other electronic terms 
and conditions attached to content and/or submitted by another 

10 party are acceptable (do not violate acceptable control 

information criteria). Such an evaluation process may be quite 
simple, for example a comparison to ensure compatibility 
between a portion of, or all senior, control terms and conditions in 
a table of terms and conditions and the submitted control 

15 information of a subsequent participant in a pathway of content 

control information handling, or it may be a more elaborate 
process that evaluates the potential outcome of, and/or 
implements a negotiation process between, two or more sets of 
control information submitted by two or more parties. VDE also 

20 accommodates a semi-automated process during which one or 

more VDE participants directly, through user interface means, 
resolve "disagreements" between control information sets by 
accepting and/or proposing certain control information that may 
be acceptable to control information representing one or more 

25 other parties interests and/or responds to certain user interface 
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queries for selection of certain alternative choices and/or for 
certain parameter information, the responses being adopted if 
acceptable to applicable senior control information. 

When another party (other than the first applier of rules), 
perhaps through a negotiation process, accepts, and/or adds to 
and/or otherwise modifies, "in place" content control information, 
a VDE agreement between two or more parties related to the use 
of such electronic content may be created (so long as any 
modifications are consistent with senior control information). 
Acceptance of terms and conditions related to certain electronic 
content may be direct and express, or it may be implicit as a 
result of use of content (depending, for example, on legal 
requirements, previous exposure to such terms and conditions, 
and requirements of in place control information). 

VDEF capabilities may be employed, and a VDE 
agreement may be entered into, by a plurality of parties without 
the VDEF capabilities being directly associated with the 
controlling of certain, specific electronic information. For 
example, certain one or more VDEF capabilities may be present 

at a VDE installation, and certain VDE agreements may have 
been entered into during the registration process for a content 
distribution application, to be used by such installation for 
securely controlling VDE content usage, auditing, reporting 
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and/or payment. Similarly, a specific VDE participant may enter 
into a VDE user agreement with a VDE content or electronic 
appliance provider when the user and/or her appliance register 
with such provider as a VDE installation and/or user. In such 
5 events, VDEF in place control information available to the user 

VDE installation may require that certain VDEF methods are 
employed, for example in a certain sequence, in order to be able 
to use all and/or certain classes, of electronic content and/or VDE 
applications. 

10 

VDE ensures that certain prerequisites necessary for a 
given transaction to occur are met. This includes the secure 
execution of any required load modules and the availability of 
any required, associated data. For example, required load 

15 modules and data (e.g. in the form of a method) might specify 

that sufficient credit from an authorized source must be 
confirmed as available. It might further require certain one or 
more load modules execute as processes at an appropriate time to 
ensure that such credit will be used in order to pay for user use of 

20 the content. A certain content provider might, for example, 

require metering the number of copies made for distribution to 
employees of a given software program (a portion of the program 
might be maintained in encrypted form and require the presence 
of a VDE installation to run). This would require the execution of 

25 a metering method for copying of the property each time a copy 
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was made for another employee. This same provider might also 
charge fees based on the total number of different properties 
licensed from them by the user and a metering history of their 
licensing of properties might be required to maintain this 
information. 



VDE provides organization, commumty, and/or universe 
wide secure environments whose integrity is assured by 
processes securely controlled in VDE participant user 
installations (nodes). VDE installations, in the preferred 
embodiment, may include both software and tamper resistant 
hardware semiconductor elements. Such a semiconductor 
arrangement comprises, at least in part, special purpose circuitry 
that has been designed to protect against tampering with, or 
unauthorized observation of, the information and functions used 
in performing the VDE's control functions. The special purpose 
secure circuitry provided by the present invention includes at 
least one of: a dedicated semiconductor arrangement known as a 
Secure Processing Unit (SPU) and/or a standard microprocessor, 
microcontroller, and/or other processing logic that accommodates 
the requirements of the present invention and functions as an 
SPU. VDE's secure hardware may be found incorporated into, for 
example, a fax/modem chip or chip pack, I/O controller, video 
display controller, and/or other available digital processing 
arrangements. It is anticipated that portions of the present 



invention's VDE secure hardware capabilities may ultimately be 
standard design elements of central processing units (CPUs) for 
computers and various other electronic devices. 

Designing VDE capabilities into one or more standard 
microprocessor, microcontroller and/or other digital processing 
components may materially reduce VDE related hardware costs 
by employing the same hardware resources for both the 
transaction management uses contemplated by the present 
invention and for other, host electronic appliance functions. This 
means that a VDE SPU can employ (share) circuitry elements of 
a "standard" CPU. For example, if a "standard" processor can 
operate in protected mode and can execute VDE related 
instructions as a protected activity, then such an embodiment 
may provide sufficient hardware security for a variety of 
applications and the expense of a special purpose processor might 
be avoided. Under one preferred embodiment of the present 
invention, certain memory (e.g., BAM, ROM, NVRAM) is 
maintained during VDE related instruction processing in a 
protected mode (for example, as supported by protected mode 
microprocessors). This memory is located in the same package as 
the processing logic (e.g. processor). Desirably, the packaging 
and memory of such a processor would be designed using security 
techniques that enhance its resistance to tampering. 
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The degree of overall security of the VDE system is 
primarily dependent on the degree of tamper resistance and 
concealment of VDE control process execution and related data 
storage activities. Employing special purpose semiconductor 
packaging techniques can significantly contribute to the degree of 
security. Concealment and tamper-resistance in semiconductor 
memory (e.g., RAM, ROM, NVRAM) can be achieved, in part, by 
employing such memory within an SPU package, by encrypting 
data before it is sent to external memory (such as an external 
RAM package) and decrypting encrypted data within the 
CPU/RAM package before it is executed. This process is used for 
important VDE related data when such data is stored on 
unprotected media, for example, standard host storage, such as 
random access memory, mass storage, etc. In that event, a VDE 
SPU would encrypt data that results from a secure VDE 

execution before such data was stored in external memory. 

Summary of Some Important Features Provided by VDE in 
Accordance With the Present Invention 

VDE employs a variety of capabilities that serve as a 

foundation for a general purpose, sufficiently secure distributed 

electronic commerce solution. VDE enables an electronic 

commerce marketplace that supports divergent, competitive 

business partnerships, agreements, and evolving overall business 

models. For example, VDE includes features that: 



"sufficiently* impede unauthorized and/or 
uncompensated use of electronic information and/or 
appliances through the use of secure communication, 
storage, and transaction management technologies. 
VDE supports a model wide, distributed security 
implementation which creates a single secure 
"virtual" transaction processing and information 
storage environment. VDE enables distributed VDE 
installations to securely store and communicate 
information and remotely control the execution 
processes and the character of use of electronic 
information at other VDE installations and in a wide 
variety of ways; 

support low-cost, efficient, and effective security 
architectures for transaction control, auditing, 
reporting, and related communications and 
information storage. VDE may employ tagging 
related security techniques, the time-ageing of 
encryption keys, the compartmentalization of both 
stored control information (including differentially 
tagging such stored information to ensure against 
substitution and tampering) and distributed content 
(to, for many content applications, employ one or 
more content encryption keys that are unique to the 
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specific VDE installation and/or user), private key 
techniques such as triple DES to encrypt content, 
public key techniques such as RSA to protect 
conununicationfl and to provide the benefits of digital 
5 signature and authentication to securely bind 

together the nodes of a VDE arrangement, secure 
processing of important transaction management 
executable code, and a combining of a small amount 
of highly secure, hardware protected storage space 
10 with a much larger "exposed" mass media storage 

space storing secured (normally encrypted and 
tagged) control and audit information. VDE employs 
special purpose hardware distributed throughout 
some or all locations of a VDE implementation: a) 
15 said hardware controlling important elements of: 

content preparation (such as causing such content to 
be placed in a VDE content container and 
associating content control information with said 
content), content and/or electronic appliance usage 
20 auditing, content usage analysis, as well as content 

usage control; and b) said hardware having been 
designed to securely handle processing load module 
control activities, wherein said control processing 
activities may involve a sequence of required control 
25 factors; 
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! support dynamic user selection of information 
subsets of a VDE electronic information product 
(VDE controlled content). This contrasts with the 
constraints of having to use a few high level 
5 individual, pre-defined content provider information 

increments such as being required to select a whole 
information product or product section in order to 
acquire or otherwise use a portion of such product or 
section. VDE supports metering and usage control 

10 over a variety of increments (including "atomic" 

increments, and combinations of different increment 
types) that are selected ad hoc by a user and 
represent a collection of pre-identified one or more 
increments (such as one or more blocks of a 

15 preidentified nature, e.g., bytes, images, logically 

related blocks) that form a generally arbitrary, but 
logical to a user, content "deliverable." VDE control 
information (including budgeting, pricing and 
metering) can be configured so that it can specifically 

20 apply, as appropriate, to ad hoc selection of different, 

unanticipated variable user selected aggregations of 
information increments and pricing levels can be, at 
least in part, based on quantities and/or nature of 
mixed, increment selections (for example, a certain 

25 quantity of certain text could mean associated 
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images might be discounted by 15%; a greater 
quantity of text in the "mixed" increment selection 
might mean the images are discounted 20%). Such 
user selected aggregated information increments can 
reflect the actual requirements of a user for 
information and is more flexible than being limited 
to a single, or a few, high level, (e.g. product, 
document, database record) predetermined 
increments. Such high level increments may include 
quantities of information not desired by the user and 
as a result be more costly than the subset of 
information needed by the user if such a subset was 
available. In sum, the present invention allows 
information contained in electronic information 
products to be supplied according to user 
specification. Tailoring to user specification allows 
the present invention to provide the greatest value to 
users, which in turn will generate the greatest 
amount of electronic commerce activity. The user, 
for example, would be able to define an aggregation 
of content derived from various portions of an 
available content product, but which, as a 
deliverable for use by the user, is an entirely unique 
aggregated increment. The user may, for example, 
select certain numbers of bytes of information from 
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various portions of an information product, such as a 
reference work, and copy them to disc in 
unencrypted form and be billed based on total 
number of bytes plus a surcharge on the number of 
5 "articles* that provided the bytes. A content 

provider might reasonably charge less for such a 
user defined information increment since the user 
does not require all of the content from all of the 
articles that contained desired information. This 
10 process of defining a user desired information 

increment may involve artificial intelligence 
database search tools that contribute to the location 
of the most relevant portions of information from an 
information product and cause the automatic display 
15 to the user of information describing search criteria 

hits for user selection or the automatic extraction 
and delivery of such portions to the user. VDE 
further supports a wide variety of predefined 
increment types including: 
20 ! bytes, 

images, 

content over time for audio or video, or any 
. other increment that can be identified by content 
provider data mapping efforts, such as: 
25 ! sentences, 
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paragraphs, 
! articles, 
! database records, and 

byte offsets representing increments of 
logically related information. 
VDE supports as many simultaneous predefined increment 
as may be practical for a given type of content and business 
model 



securely store at a user's site potentially highly 
detailed information reflective of a user's usage of a 
variety of different content segment types and 
employing both inexpensive "exposed" host mass 
storage for maintaining detailed information in the 
form of encrypted data and maintaining summary 
information for security testing in highly secure 
special purpose VDE installation nonvolatile 
memory (if available). 



support trusted chain of handling capabilities for 
pathways of distributed electronic information 
and/or for content usage related information. Such 
chains may extend, for example, from a content 
creator, to a distributor, a redistributor, a client 
user, and then may provide a pathway for securely 



reporting the same and/or differing usage 
information to one or more auditors, such as to one 
or more independent clearinghouses and then back 
to the content providers, including content creators. 
The same and/or different pathways employed for 
certain content handling, and related content control 
information and reporting information handling, 
may also be employed as one or more pathways for 
electronic payment handling (payment is 
characterized in the present invention as 
administrative content) for electronic content and/or 
appliance usage. These pathways are used for 
conveyance of all or portions of content, and/or 
content related control information. Content 
creators and other providers can specify the 
pathways that, partially or fully, must be used to 
disseminate commercially distributed property 
content, content control information, payment 
administrative content, and/or associated usage 
reporting information. Control information specified 
by content providers may also specify which specific 
parties must or may (including, for example, a group 
of eligible parties from which a selection may be 
made) handle conveyed information. It may also 
specify what transmission means (for example 
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telecommunication carriers or media types) and 
transmission hubs must or may be used. 

support flexible auditing mechanisms, such as 
employing -bitmap meters," that achieve a high 
degree of efficiency of operation and throughput and 
allow, in a practical manner, the retention and ready 
recall of information related to previous usage 
activities and related patterns. This flexibility is 
adaptable to a wide variety of billing and security 
control strategies such as: 
P upgrade pricing (e.g. suite purchases), 
P pricing discounts (including quantity 
discounts), 

P billing related time duration variables such as 
discounting new purchases based on the 
timing of past purchases, and 

P security budgets based on quantity of 

different, logically related units of electronic 
information used over an interval of time. 

Use of bitmap meters (including "regular" and "wide" 
bitmap meters) to record usage and/or purchase of 
information, in conjunction with other elements of 
the preferred embodiment of the present invention, 



uniquely supports efficient maintenance of usage 
history for: (a) rental, (b) flat fee licensing or 
purchase, (c) licensing or purchase discounts based 
upon historical usage variables, and (d) reporting to 
users in a manner enabling users to determine 
whether a certain item was acquired, or acquired 
within a certain time period (without requiring the 
use of conventional database mechanisms, which are 
highly inefficient for these applications). Bitmap 
meter methods record activities associated with 
electronic appliances, properties, objects, or portions 
thereof, and/or administrative activities that are 
independent of specific properties, objects, etc., 
performed by a user and/or electronic appliance such 
that a content and/or appliance provider and/or 
controller of an administrative activity can 
determine whether a certain activity has occurred at 
some point, or during a certain period, in the past 
(for example, certain use of a commercial electronic 
content product and/or appliance). Such 
determinations can then be used as part of pricing 
and/or control strategies of a content and/or 
appliance provider, and/or controller of an 
administrative activity. For example, the content 
provider may choose to charge only once for access to 
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a portion of a property, regardless of the number of 
times that portion of the property is accessed by a 
user. 

support -launchable" content, that is content that 
can be provided by a content provider to an end-user, 
who can then copy or pass along the content to other 
end-user parties without requiring the direct 
participation of a content provider to register and/or 
otherwise initialize the content for use. This content 
goes "out of (the traditional distribution) channel" in 
the form of a "traveling object." Traveling objects are 
containers that securely carry at least some 
permissions information and/or methods that are 

required for their use (such methods need not be 
carried by traveling objects if the required methods 
will be available at, or directly available to, a 
destination VDE installation). Certain travelling 
objects may be used at some or all VDE installations 
of a given VDE arrangement since they can make 
available the content control information necessary 
for content use without requiring the involvement of 
a commercial VDE value chain participant or data 
security administrator (e.g. a control officer or 
network administrator). As long as traveling object 
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control information requirements are available at 
the user VDE installation secure subsystem (such as 
the presence of a sufficient quantity of financial 
credit from an authorized credit provider), at least 
5 some travelling object content may be used by a 

receiving party without the need to establish a 
connection with a remote VDE authority (until, for 
example, budgets are exhausted or a time content 
usage reporting interval has occurred). Traveling 

10 objects can travel a out-of-channel, w allowing, for 

example, a user to give a copy of a traveling object 
whose content is a software program, a movie or a 
game, to a neighbor, the neighbor being able to use 
the traveling object if appropriate credit (e.g. an 

15 electronic clearinghouse account from a 

clearinghouse such as VISA or AT&T) is available. 
Similarly, electronic information that is generally 
available on an Internet, or a similar network, 
repository might be provided in the form of a 

20 traveling object that can be downloaded and 

subsequently copied by the initial downloader and 
then passed along to other parties who may pass the 
object on to additional parties. 
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provide very flexible and extensible user 
identification according to individuals, installations, 
by groups such as classes, and by function and 
hierarchical identification employing a hierarchy of 
levels of client identification (for example, client 
organization ID, client department ID, client 
network ID, client project ID, and client employee 
ID, or any appropriate subset of the above). 

provide a general purpose, secure, component based 
content control and distribution system that 
functions as a foundation transaction operating 
system environment that employs executable code 
pieces crafted for transaction control and auditing. 
These code pieces can be reused to optimize 
efficiency in creation and operation of trusted, 
distributed transaction management arrangements. 
VDE supports providing such executable code in the 
form of "atomic" load modules and associated data. 
Many such load modules are inherently configurable, 
aggregatable, portable, and extensible and 
singularly, or in combination (along with associated 
data), run as control methods under the VDE 
transaction operating environment. VDE can satisfy 
the requirements of widely differing electronic 



commerce and data security applications by, in part, 
employing this general purpose transaction 
management foundation to securely process VDE 
transaction related control methods. Control 
methods are created primarily through the use of 
one or more of said executable, reusable load module 
code pieces (normally in the form of executable object 
components) and associated data. The component 
nature of control methods allows the present 
invention to efficiently operate as a highly 
configurable content control system. Under the 
present invention, content control models can be 
iteratively and asynchronously shaped, and 
otherwise updated to accommodate the needs of VDE 
participants to the extent that such shaping and 
otherwise updating conforms to constraints applied 
by a VDE application, if any (e.g., whether new 
component assemblies are accepted and, if so, what 
certification requirements exist for such component 
assemblies or whether any or certain participants 
may shape any or certain control information by 
selection amongst optional control information 
(permissions record) control methods. This iterative 
(or concurrent) multiple participant process occurs 
as a result of the submission and use of secure, 



WO 96/27155 



PCT/US96/02303 



10 



15 



20 



25 



control information components (executable code 
such as load modules and/or methods, and/or 
associated data). These components may be 
contributed independently by secure communication 
between each control information influencing VDE 
participant's VDE installation and may require 
certification for use with a given application, where 
such certification was provided by a certification 
service manager for the VDE arrangement who 
ensures secure interoperability and/or reliability 
(e.g., bug control resulting from interaction) between 
appliances and submitted control methods. The 
transaction management control functions of a VDE 
electronic appliance transaction operating 
environment interact with non-secure transaction 
management operating system functions to properly 
direct transaction processes and data related to 
electronic information security, usage control, 
auditing, and usage reporting. VDE provides the 
capability to manages resources related to secure 
VDE content and/or appliance control information 
execution and data storage. 

facilitate creation of application and/or system 
functionality under VDE and to facilitate integration 



into electronic appliance environments of load 
modules and methods created under the present 
invention. To achieve this, VDE employs an 
Application Programmer's Interface (API) and/or a 
transaction operating system (such as a ROS) 
programming language with incorporated functions, 
both of which support the use of capabilities and can 
be used to efficiently and tightly integrate VDE 
functionality into commercial and user applications. 

support user interaction through: (a) *Pop-Up" 
applications which, for example, provide messages to 
users and enable users to take specific actions such 
as approving a transaction, (b) stand-alone VDE 
applications that provide administrative 
environments for user activities such as; end-user 
preference specifications for limiting the price per 
transaction, unit of time, and/or session, for 
accessing history information concerning previous 
transactions, for reviewing financial information 
such as budgets, expenditures (e.g. detailed and/or 
summary) and usage analysis information, and (c) 
VDE. aware applications which, as a result of the use 
of a VDE API and/or a transaction management (for 
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example, ROS based) programming language 
embeds VDE "awareness" into commercial or 
internal software (application programs, games, etc.) 
so that VDE user control information and services 
are seamlessly integrated into such software and can 
be directly accessed by a user since the underlying 
functionality has been integrated into the 
commercial software's native design. For example, 
in a VDE aware word processor application, a user 
may be able to "print" a document into a VDE 
content container object, applying specific control 
information by selecting from amongst a series of 
different menu templates for different purposes (for 
example, a confidential memo template for internal 
organization purposes may restrict the ability to 
"keep," that is to make an electronic copy of the 
memo). 



employ "templates" to ease the process of configuring 
capabilities of the present invention as they relate to 
specific industries or businesses. Templates are 
applications or application add-ons under the 
present invention. Templates support the efficient 
specification and/or manipulation of criteria related 
to specific content types, distribution approaches, 



pricing mechanisms, user interactions with content 
and/or administrative activities, and/or the like. 
Given the very large range of capabilities and 
configurations supported by the present invention, 
reducing the range of configuration opportunities to 
a manageable subset particularly appropriate for a 
given business model allows the full configurable 
power of the present invention to be easily employed 
by "typical" users who would be otherwise burdened 
with complex programming and/or configuration 
design responsibilities template applications can also 
help ensure that VDE related processes are secure 
and optimally bug free by reducing the risks 
associated with the contribution of independently 
developed load modules, including unpredictable 
aspects of code interaction between independent 
modules and applications, as well as security risks 
associated with possible presence of viruses in such 
modules. VDE, through the use of templates, 
reduces typical user configuration responsibilities to 
an appropriately focused set of activities including 
selection of method types (e.g. functionality) through 
menu choices such as multiple choice, icon selection, 
and/or prompting for method parameter data (such 
as identification information, prices, budget limits, 



WO 96/27155 



PCT/US96/02303 



10 



20 



25 



dates, periods of time, access rights to specific 
content, etc.) that supply appropriate and/or 
necessary data for control information purposes. By 
limiting the typical (non-programming) user to a 
limited subset of configuration activities whose 
general configuration environment (template) has 
been preset to reflect general requirements 
corresponding to that user, or a content or other 
business model can very substantially limit 
difficulties associated with content containerization 
(including placing initial control information on 
content), distribution, client aclministration, 
electronic agreement implementation, end-user 
interaction, and clearinghouse activities, including 
15 associated interoperability problems (such as 

conflicts resulting from security, operating system, 
and/or certification incompatibilities). Use of 
appropriate VDE templates can assure users that 
their activities related to content VDE 
containerization, contribution of other control 
information, communications, encryption techniques 
and/or keys, etc. will be in compliance with 
specifications for their distributed VDE 
arrangement. VDE templates constitute preset 
configurations that can normally be reconfigurable 



to allow for new and/or modified templates that 
reflect adaptation into new industries as they evolve 
or to reflect the evolution or other change of an 
existing industry. For example, the template 
concept may be used to provide individual, overall 
frameworks for organizations and individuals that 
create, modify, market, distribute, consume, and/or 
otherwise use movies, audio recordings and live 
performances, magazines, telephony based retail 
sales, catalogs, computer software, information data 
bases, multimedia, commercial communications, 
advertisements, market surveys, infomercials, 
games, CAD/CAM services for numerically controlled 
machines, and the like. As the context surrounding 
these templates changes or evolves, template 
applications provided under the present invention 
may be modified to meet these changes for broad 
use, or for more focused activities. A given VDE 
participant may have a plurality of templates 
available for different tasks. A party that places 
content in its initial VDE container may have a 
variety of different, configurable templates 
depending on the type of content and/or business 
model^related to the content. An end-user may have 
different configurable templates that can be applied 
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to different document types (e-mail, secure internal 
documents, database records, etc.) and/or subsets of 
users (applying differing general sete of control 
information to different bodies of users, for example, 
selecting a list of users who may, under certain 
preset criteria, use a certain document). Of course, 
templates may, under certain circumstances have 
fixed control information and not provide for user 
selections or parameter data entry. 

support plural, different control models regulating 
the use and/or auditing of either the same specific 
copy of electronic information content and/or 
differently regulating different copies (occurrences) 
of the same electronic information content. Differing 
models for billing, auditing, and security can be 
applied to the same piece of electronic information 
content and such differing sets of control information 
may employ, for control purposes, the same, or 
differing, granularities of electronic information 
control increments. This includes supporting 
variable control information for budgeting and 
auditing usage as applied to a variety of predefined 
increments of electronic information, including 
employing a variety of different budgets and/or 



metering increments for a given electronic 
information deliverable for: billing units of measure, 
credit limit, security budget limit and security 
content metering increments, and/or market 
surveying and customer profiling content metering 
increments. For example, a CD-ROM disk with a 
database of scientific articles might be in part billed 
according to a formula based on the number of bytes 
decrypted, number of articles containing said bytes 
decrypted, while a security budget might limit the 
use of said database to no more than 5% of the 
database per month for users on the wide area 
network it is installed on. 

provide mechanisms to persistently maintain trusted 
content usage and reporting control information 
through both a sufficiently secure chain of handling 
of content and content control information and 
through various forms of usage of such content 
wherein said persistence of control may survive such 
use. Persistence of control includes the ability to 
extract information from a VDE container object by 
creating a new container whose contents are at least 
in part secured and that contains both the extracted 
content and at least a portion of the control 



information which control information of the original 
container and/or are at least in part produced by 
control information of the original container for this 
purpose and/or VDE installation control information 
stipulates should persist and/or control usage of 
content in the newly formed container. Such control 
information can continue to manage usage of 
container content if the container is "embedded" into 
another VDE managed object, such as an object 
which contains plural embedded VDE containers, 
each of which contains content derived (extracted) 
from a different source. 

enables users, other value chain participants (such 
as clearinghouses and government agencies), and/or 
user organizations, to specify preferences or 
requirements related to their use of electronic 
content and/or appliances. Content users, such as 
end-user customers using commercially distributed 
content (games, information resources, software 
programs, etc.), can define, if allowed by senior 
control information, budgets, and/or other control 
information, to manage their own internal use of 
content. Uses include, for example, a user setting a 
limit on the price for electronic documents that the 
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riser is willing to pay without prior express user 
authorization, and the user establishing the 
character of metering information he or she is 
willing to allow to be collected (privacy protection). 
5 This includes providing the means for content users 

to protect the privacy of information derived from 
their use of a VDE installation and content and/or 
appliance usage auditing. In particular, VDE can 
prevent information related to a participant's usage 
10 of electronic content from being provided to other 

parties without the participant's tacit or explicit 
agreement. 

! provide mechanisms that allow control information 
15 to "evolve* and be modified according, at least in 

part, to independently, securely delivered further 
control information. Said control information may 
include executable code (e.g., load modules) that has 
been certified as acceptable (e.g., reliable and 
20 trusted) for use with a specific VDE application, 

class of applications, and/or a VDE distributed 
arrangement. This modification (evolution) of 
control information can occur upon content control 
information (load modules and any associated data) 
25 circulating to one or more VDE participants in a 
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pathway of handling of control information, or it may 
occur upon control information being received from a 
VDE participant. Handlers in a pathway of 
handling of content control information, to the extent 
each is authorized, can establish, modify, and/or 
contribute to, permission, auditing, payment, and 
reporting control information related to controlling, 
analyzing, paying for, and/or reporting usage of, 
electronic content and/or appliances (for example, as 
related to usage of VDE controlled property content). 
Independently delivered (from an independent 
source which is independent except in regards to 
certification), at least in part secure, control 
information can be employed to securely modify 
content control information when content control 
information has flowed from one party to another 
party in a sequence of VDE content control 
information handling. This modification employs, 
for example, one or more VDE component assemblies 
being securely processed in a VDE secure subsystem. 
In an alternate embodiment, control information 
may be modified by a senior party through use of 
their VDE installation secure sub-system after 
receiving submitted, at least in part secured, control 
information from a "junior" party, normally in the 



form of a VDE administrative object. Control 
information passing along VDE pathways can 
represent a mixed control set, in that it may include: 
control information that persisted through a 
sequence of control information handlers, other 
control information that was allowed to be modified, 
and further control information representing new 
control information and/or mediating data. Such a 
control set represents an evolution of control 
information for disseminated content. In this 
example the overall content control set for a VDE 
content container is "evolving* as it securely (e.g. 
communicated in encrypted form and using 
authentication and digital signaturing techniques) 
passes, at least in part, to a new participant's VDE 
installation where the proposed control information 
is securely received and handled. The received 
control information may be integrated (through use 
of the receiving parties' VDE installation secure 
sub-system) with in-place control information 
through a negotiation process involving both control 
information sets. For example, the modification, 
within the secure sub-system of a content provider's 
VDE installation, of content control information for a 
certain VDE content container may have occurred as 
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a result of the incorporation of required control 
information provided by a financial credit provider. 
Said credit provider may have employed their VDE 
installation to prepare and securely communicate 
(directly or indirectly) said required control 
information to said content provider. Incorporating 
said required control information enables a content 
provider to allow the credit provider's credit to be 
employed by a content end-user to compensate for 
the end-user's use of VDE controlled content and/or 
appliances, so long as said end-user has a credit 
account with said financial credit provider and said 
credit account has sufficient credit available. 
Similarly, control information repairing the payment 
of taxes and/or the provision of revenue information 
resulting from electronic commerce activities may be 
securely received by a content provider. This control 
information may be received, for example, from a 
government agency. Content providers might be 
required by law to incorporate such control 
information into the control information for 
commercially distributed content and/or services 
related to appliance usage. Proposed control 
information is used to an extent allowed by senior 
control information and as determined by any 



negotiation trade-offs that satisfy priorities 
stipulated by each set (the received set and the 
proposed set). VDE also accommodates different 
control schemes specifically applying to different 
participants (e.g., individual participants and/or 
participant classes (types)) in a network of VDE 
content handling participants. 

support multiple simultaneous control models for the 
same content property and/or property portion. 
This allows, for example, for concurrent business 
activities which are dependent on electronic 
commercial product content distribution, such as 
acquiring detailed market survey information and/or 
supporting advertising, both of which can increase 
revenue and result in lower content costs to users 
and greater value to content providers. Such control 
information and/or overall control models may be 
applied, as determined or allowed by control 
information, in differing manners to different 
participants in a pathway of content, reporting, 
payment, and/or related control information 
handling. VDE supports applying different content 
control information to the same and/or different 
content and/or appliance usage related activities, 
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and/or to different parties in a content and/or 
appliance usage model, such that different parties 
(or classes of VDE users, for example) are subject to 
differing control information managing their use of 
electronic information content. For example, 
differing control models based on the category of a 
user as a distributor of a VDE controlled content 
object or an end-user of such content may result in 
different budgets being applied. Alternatively, for 
example, a one distributor may have the right to 
distribute a different array of properties than 
another distributor (from a common content 
collection provided, for example, on optical disc). An 
individual, and/or a class or other grouping of 
end-users, may have different costs (for example, a 
student, senior citizen, and/or poor citizen user of 
content who may be provided with the same or 
differing discounts) than a "typical" content user. 



support provider revenue information resulting from 
customer use of content and/or appliances, and/or 
provider and/or end-user payment of taxes, through 
the transfer of credit and/or electronic currency from 
said end-user and/or provider to a government 
25 agency, might occur "automatically" as a result of 



such received control information causing the 
generation of a VDE content container whose 
content includes customer content usage information 
reflecting secure, trusted revenue summary 
information and/or detailed user transaction listings 
(level of detail might depend, for example on type or 
size of transaction — information regarding a bank 
interest payment to a customer or a transfer of a 
large (e.g. over $10,000) might be, by law, 
automatically reported to the government). Such 
summary and/or detailed information related to 
taxable events and/or currency, and/or creditor 
currency transfer, may be passed along a pathway of 
reporting and/or payment to the government in a 
VDE container. Such a container may also be vised 
for other VDE related content usage reporting 
information. 

support the flowing of content control information 
through different "branches* of content control 
information handling so as to accommodate, tinder 
the present invention's preferred embodiment, 
diverse controlled distributions of VDE controlled 
content. This allows different parties to employ the 
same initial electronic content with differing 
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(perhaps competitive) control strategies. In this 
instance, a party who first placed control information 
on content can make certain control assumptions 
and these assumptions would evolve into more 
specific and/or extensive control assumptions. These 

control assumptions can evolve during the brandling 
sequence upon content model participants 
submitting control information changes, for example, 
for use in "negotiating" with "in place" content 

control information. This can result in new or 
modified content control information and/or it might 
involve the selection of certain one or more already 
"in-place" content usage control methods over 
in-place alternative methods, as well as the 
15 submission of relevant control information 

parameter data. This form of evolution of different 
control information sets applied to different copies of 
the same electronic property content and/or 
appliance results from VDE control information 
flowing "down" through different branches in an 
overall pathway of handling and control and being 
modified differently as it diverges down these 
different pathway branches. This ability of the 
present invention to support multiple pathway 
25 branches for the flow of both VDE content control 
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